By adhering to cybersecurity best practices, election organizations—including state, local, tribal, and territorial (SLTT) governments—can improve the security of their election systems. The Cybersecurity and Infrastructure Security Agency (CISA) Hunt and Incident Response Team (HIRT) developed the best practices in this tip from lessons learned through engagements with SLTT governments, election stakeholders, and others. Organizations can implement these best practices, which harden enterprise networks and strengthen election infrastructure, at little or no cost. CISA’s election systems best practices are organized under the topics below.

Software and Patch Management

Implementing an enterprise-wide software and patch management program reduces the likelihood of an organization experiencing significant cybersecurity incidents. A software and patch management program includes the establishment of an enterprise-wide inventory list, which provides an organization with greater insight into the software running on its networks and associated vulnerabilities. The organization can then use the inventory list to help identify and mitigate the risks to its election-related information technology (IT) infrastructure. Mitigations often include implementing application whitelisting, a best practice. (See Implementing Application Whitelisting.)
CISA has observed a correlation between the absence of a patch management program and the partial or complete compromise of an enterprise network by commodity malware. Commodity malware is widely available, has minimal or no customization, and is used by a wide range of threat actors. A partial or complete compromise could lead to additional impacts, including ransomware infection and the theft of sensitive data, which may include personally identifiable information (PII).
Failure to deploy patches in a timely manner makes an organization a target of opportunity, even for less sophisticated actors, and increases the risk of compromise. If an enterprise-wide patch management solution is too costly, an organization should at least enable automatic updates. CISA recommends that organizations subscribe to the National Cyber Awareness System for alerts about security updates, threats, and vulnerabilities. This helps organizations maintain situational awareness of critical vulnerabilities in software widely used throughout their enterprise environments. It is vital to apply patches quickly, especially when the vulnerability is known to be exploited in the wild.
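The following script is an added example, not part of the CISA tip. It produces the per-host half of the enterprise-wide inventory described above: installed software, installed updates, updates the Windows Update agent says are still pending, and whether automatic updates have been switched off by policy. The output directory under ProgramData and the 30-day "patching is behind" threshold are assumptions chosen for illustration; the Windows Update query uses the documented Microsoft.Update.Session COM interface and needs reachability to WSUS or Microsoft Update.

```powershell
# Added example (not from the CISA tip): per-host software and patch inventory.
# Run in an elevated Windows PowerShell 5.1 session. Output path and the 30-day
# staleness threshold are assumptions for illustration.

$OutDir = Join-Path $env:ProgramData 'Inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Installed software, from both the 64-bit and the 32-bit Uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object @{n='Host'; e={ $env:COMPUTERNAME }},
                  DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique
$software | Export-Csv -Path (Join-Path $OutDir 'software.csv') -NoTypeInformation

# 2. Installed Windows updates and the date of the most recent one.
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
$hotfixes | Export-Csv -Path (Join-Path $OutDir 'hotfixes.csv') -NoTypeInformation
$lastPatch = ($hotfixes | Where-Object InstalledOn | Select-Object -First 1).InstalledOn

# 3. Updates the Windows Update agent reports as applicable but not installed.
#    Needs network access to WSUS or Microsoft Update, hence the try/catch.
$pending = @()
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        $pending += [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity     # 'Critical', 'Important', ... or empty
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
} catch {
    Write-Warning "Windows Update search failed: $($_.Exception.Message)"
}
$pending | Export-Csv -Path (Join-Path $OutDir 'pending-updates.csv') -NoTypeInformation

# 4. Has Automatic Updates been disabled by policy? (NoAutoUpdate = 1 turns it off.)
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                       -ErrorAction SilentlyContinue
$autoUpdateDisabled = [bool]($au -and $au.NoAutoUpdate -eq 1)

# 5. One summary object per host for the central collector.
$summary = [pscustomobject]@{
    Host               = $env:COMPUTERNAME
    SoftwareCount      = @($software).Count
    LastPatchInstalled = $lastPatch
    DaysSinceLastPatch = if ($lastPatch) { (New-TimeSpan -Start $lastPatch).Days } else { $null }
    PendingUpdates     = $pending.Count
    PendingCritical    = @($pending | Where-Object Severity -eq 'Critical').Count
    AutoUpdateDisabled = $autoUpdateDisabled
}
$summary | Format-List
if ($summary.PendingCritical -gt 0 -or $summary.DaysSinceLastPatch -gt 30) {
    Write-Warning "$($summary.Host): patching is behind (assumed threshold: 30 days, or any Critical update pending)."
}
```

Collecting software.csv and the summary from every host into one table is what turns this into the enterprise-wide inventory list; the same table is the starting point for an application whitelisting policy, since it shows which software is actually present.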

Log Management

Retaining and adequately securing logs from both network devices and local hosts supports triage and remediation of cybersecurity events. An organization can analyze the logs to determine the impact of cybersecurity events and ascertain whether an incident has occurred.

Centralized Log Management

Organizations should set up centralized log management:

Forward logs from local hosts to a centralized log management server—often referred to as a security information and event management (SIEM) tool. CISA has observed threat actors attempting to delete local logs to remove on-site evidence of their activities. By sending logs to a SIEM tool, an organization can reduce the likelihood of malicious log deletion.

Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.

Review both centralized and local log management policies to maximize efficiency and retain historical data. CISA recommends that organizations retain critical logs for a minimum of one year, if possible.
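As an added example that is not part of the CISA tip, the script below checks a Windows host for the local log deletion described above, shows how much history each triage-relevant log currently holds, raises the Security log ceiling so events survive until the forwarder has shipped them, and confirms that Windows Event Forwarding is actually configured. The 7-day window, the 1 GB size, and the check of the Subscription Manager policy key are assumptions for illustration.

```powershell
# Added example (not from the CISA tip): evidence of log clearing, log capacity,
# and forwarding status on one host. Elevated Windows PowerShell 5.1.
# The 7-day window and the 1 GB Security-log size are assumptions.

$since = (Get-Date).AddDays(-7)

# 1. Evidence of clearing. The Event Log service writes 1102 (Security cleared) and
#    104 (System/Application cleared) into the freshly emptied log, so these entries
#    survive the wipe and name the account that performed it.
$cleared = @()
$cleared += Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=1102; StartTime=$since } `
                         -ErrorAction SilentlyContinue
$cleared += Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-Eventlog'; Id=104; StartTime=$since } `
                         -ErrorAction SilentlyContinue

foreach ($e in $cleared) {
    # Both events carry the clearing account under UserData/LogFileCleared.
    $u = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Log     = if ($e.Id -eq 1102) { 'Security' } else { $u.Channel }
        Account = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
    }
}
if (-not $cleared) { "No log-clearing events in the last 7 days." }

# 2. How much history the key logs hold right now.
$logs = 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational'
Get-WinEvent -ListLog $logs -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount, LogMode,
                  @{n='MaxMB';       e={ [int]($_.MaximumSizeInBytes / 1MB) }},
                  @{n='OldestEvent'; e={ (Get-WinEvent -LogName $_.LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated }} |
    Format-Table -AutoSize

# 3. Raise the Security log ceiling; the default is small enough that a busy host
#    overwrites it within days. Keep overwrite-as-needed so logging never stops.
wevtutil.exe sl Security /ms:1073741824 /rt:false

# 4. Is this host forwarding at all? With the "Configure target Subscription Manager"
#    GPO applied, the collector URL(s) appear under this policy key.
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$wef = Get-ItemProperty -Path $wefKey -ErrorAction SilentlyContinue
if ($wef) {
    'Forwarding to: ' + (($wef.PSObject.Properties | Where-Object Name -notlike 'PS*').Value -join '; ')
} else {
    Write-Warning 'No Windows Event Forwarding subscription manager configured; logs stay local unless another agent ships them.'
}
```

A 1102 or 104 event on a host that forwards to a SIEM is itself a high-value alert: the local copy is gone, but the centralized copy, and the record of who cleared it, remain.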

Update PowerShell and Enable Advanced Logging

In addition to setting up centralized logging, organizations should ensure that every instance of PowerShell logs its activity. Windows PowerShell is a command-line shell and scripting language built into Microsoft Windows (a cross-platform edition is also available). CISA has observed threat actors, including APT actors, using PowerShell to hide their malicious activities.

Update PowerShell instances to version 5.0 or later and remove all earlier versions, including the PowerShell 2.0 engine, which remains installed as an optional Windows feature on many systems and can be invoked to bypass the newer logging. Logs from PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response. Note that version 5.0 adds the logging capability (script block logging, module logging, and transcription) but does not turn it on; it must still be enabled by policy.
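The following script is an added example, not part of the CISA tip. It writes the same registry values that the PowerShell logging Group Policy settings (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) write, removes the 2.0 engine so the logging cannot be bypassed with a downgrade, and then verifies that script block logging captures a marker command. The transcript directory is an assumption; in production the values would normally be delivered by GPO rather than set on each host.

```powershell
# Added example (not from the CISA tip): enable PowerShell 5 logging, remove the
# legacy 2.0 engine, and verify. Elevated Windows PowerShell 5.1. The transcript
# directory is an assumption.

# 0. The policies below require PowerShell 5.0 or later.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "PowerShell $($PSVersionTable.PSVersion) is too old; install WMF 5.1 first."
}

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord') {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational
#    records the de-obfuscated text of every script block that executes.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for all modules: event 4103 records pipeline execution details.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: full session transcripts to a directory the SIEM agent collects.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# 4. Remove the PowerShell 2.0 engine ("powershell.exe -Version 2" would otherwise
#    run without any of the logging above).
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
    ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null }

# 5. Verify: execute a marker script block and look for it in the 4104 events.
$marker = "logging-check-$(Get-Random)"
Invoke-Expression "Write-Output '$marker'" | Out-Null
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104 } `
                    -MaxEvents 50 -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -like "*$marker*" }
if ($hit) { 'Script block logging is active: event 4104 captured the marker.' }
else      { Write-Warning 'No 4104 event with the marker yet; the policy applies to new sessions, so re-run the check in a fresh PowerShell window.' }
```

Forward Microsoft-Windows-PowerShell/Operational along with the Security log; it is the channel that holds 4103 and 4104, and attackers who clear the Security log frequently leave it untouched.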

Network Segmentation

Organizations can limit the impact of a cybersecurity incident by enforcing network segmentation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or moving laterally around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain an intrusion, reducing the impact from intruders who have gained a foothold somewhere inside the network. (See Securing Network Infrastructure Devices.) During on-site engagements, CISA has observed organizations without effective network segmentation suffer commodity malware compromises of all Windows hosts in their environments.
Organizations should define their distinct organizational components (e.g., human resources, IT administration, demilitarized zone, elections) and create a separate Virtual Local Area Network (VLAN) for each component. Alternatively, if feasible, organizations should implement physical network segmentation for each component. CISA recommends that organizations restrict traffic between VLANs following the principle of least privilege. See below for additional guidance for protecting elections-specific VLANs.

Segment Elections-Related Hosts from the General User Network

Use dedicated servers and workstations for elections-related tasks. Organizations should never allow workstations with elections-related roles—such as submitting election results to a reporting server—to be used for general purpose computing, such as browsing the internet. Organizations should ensure up-to-date patching of workstations and servers dedicated to elections-related tasks.

Follow the principle of least privilege. Organizations should only allow elections-related VLANs to communicate with machines unrelated to elections on an as-needed basis. All other traffic should be explicitly denied in both directions (i.e., a default-deny ruleset for traffic entering and leaving the elections VLAN).

Block Suspicious Activity

Many organizations set their security devices to alert on suspicious activity instead of blocking it. When an organization does not block suspicious activity by default, it increases the likelihood of adverse events that allow an adversary to compromise IT resources. Organizations should follow best practices in disabling network protocols known to spread malware, such as Server Message Block version 1 (SMB v1). (See SMB Security Best Practices.)

Prevent Malware and Malicious Traffic

Organizations should perform the following actions to block malicious traffic and malware:

Before restricting macro-enabled documents, determine whether any users need macro-enabled documents to perform their work functions. If macros are not used, disable them by Group Policy Object (GPO).

If blocking macro-enabled documents across an organization is too restrictive, consider alternative solutions, such as only allowing macro-enabled documents for specific users or blocking macros from running when received as email attachments from external users.

Disable SMB v1

In the course of recent engagements, CISA has observed threat actors using SMB v1 to spread malware across organizations. Based on this specific threat, CISA recommends organizations consider the following actions to protect their networks:

Disable SMB v1 internally on their network.

Block all versions of SMB at the network boundary by blocking Transmission Control Protocol (TCP) port 445, together with the related NetBIOS ports: User Datagram Protocol (UDP) ports 137–138 and TCP port 139.
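The script below is an added example, not part of the CISA tip. It applies and verifies the two host-side controls from this section: macro restriction in Office and SMB v1 removal. The Office policy values are the ones Office 2016/2019/365 (version "16.0") read; they are written here to HKCU for the current user so the values are visible, whereas in production the same values are delivered by a User Configuration GPO as the text describes. The "block Internet-sourced macros, warn for the rest" combination is the less restrictive option the text offers. The SMB v1 audit step uses the AuditSmb1Access setting available on Windows 10/Server 2016 and later.

```powershell
# Added example (not from the CISA tip): Office macro restriction and SMB v1
# removal on one host, with verification. Elevated Windows PowerShell 5.1 on
# Windows 10 / Server 2016 or later.

# ---- Office macros -------------------------------------------------------------
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Files carrying the Mark of the Web (downloaded or received from outside) get
    # their macros blocked outright, with no "Enable Content" button.
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = allow digitally signed only, 4 = disable all silently (use 4 where nobody needs macros).
    New-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -PropertyType DWord -Force | Out-Null
}
Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' |
    Select-Object VBAWarnings, blockcontentexecutionfrominternet

# ---- SMB v1 ---------------------------------------------------------------------
# Find out who still speaks SMB v1 to this host before turning it off: with auditing
# on, each SMB1 session is logged as event 3000 in Microsoft-Windows-SMBServer/Audit.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
$smb1Clients = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-SMBServer/Audit'; Id=3000 } -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
    Sort-Object -Unique
if ($smb1Clients) {
    Write-Warning "SMB1 clients still connecting (upgrade or isolate them first): $($smb1Clients -join ', ')"
}

# Server side: stop accepting SMB1 and remove the component.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    # On Windows Server the equivalent is: Uninstall-WindowsFeature FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
# Client side: stop the workstation service from loading the SMB1 redirector (mrxsmb10).
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Verify. A reboot is required before the feature removal and driver change fully apply.
[pscustomobject]@{
    Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1Feature       = if ($feat) { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State } else { 'not present' }
    Smb1ClientDriver  = (Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'").StartMode
}
```

The audit step matters in election offices because legacy printers, scanners and NAS devices are the usual remaining SMB v1 speakers; disabling the protocol without first checking the audit log is how a hardening change turns into an outage.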

Credential Management

Managing passwords and using strong passwords are important steps in preventing unauthorized access to databases, applications, and other election infrastructure assets. Multi-factor authentication (MFA), in particular, can help prevent adversaries from gaining access to an organization’s assets even if passwords are compromised through phishing attacks or other means. Threat actors have the capability to defeat single-factor authentication, especially when passwords are weak (e.g., common or trivial passwords) or—taking into account credential reuse—have been exposed in unrelated third-party breaches. CISA has published the following guidance to assist organizations in preventing unauthorized access:

Implement MFA to prevent unauthorized access, particularly by external users, including APT actors. (See Using Rigorous Credential Control to Mitigate Trusted Network Exploitation and Supplementing Passwords.) MFA requires users to present two or more credentials (e.g., a password and the use of a hardware token) at login to verify their identity before being granted access to a given system. Organizations should consider implementing MFA for voter registration, election night reporting, and associated enterprise IT systems.

Enforce password best practices, including the use of unique and complex passwords to access different systems and accounts. Accounts with additional privileges (e.g., administrator accounts) should have password requirements that are more stringent than those for standard users. (See Choosing and Protecting Passwords.)

Establish a Baseline for Host and Network Activity

An organization’s IT personnel are critical in determining what is and is not normal and expected host or network activity. With the appropriate tools, IT personnel are well positioned to determine whether observed anomalous activity warrants further investigation. During on-site engagements, CISA uses the following metrics to establish a baseline for expected network- and host-based activity:

Network Baseline

Specific metrics should include expected bandwidth usage for

The organization,

Each user (if possible),

Remote access,

Ports,

Protocols, and

File types.

Organizations should also consider variables such as the time of day at which traffic occurs (e.g., remote access at 1 a.m. is more suspicious than remote access during standard business hours).

Including additional metrics—such as the destination of network traffic and the destination Internet Protocol (IP) address’s geographic location—establishes a more detailed baseline.

Organizations should compare their baseline traffic with the rules from their boundary firewalls to ensure that the rules are acting as intended and align with industry best practices.
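As an added example that is not part of the CISA tip, the script below turns the "remote access at 1 a.m." rule of thumb into a query against a host's Security log: it builds a baseline of which accounts log on remotely from which addresses, then lists the logons that fall outside business hours, on weekends, or from a source seen only once. Logon type 10 is an RDP (RemoteInteractive) logon and type 3 a network logon; both are taken from event 4624. The business hours (07:00 to 19:00 local), the 14-day window and the exclusion of machine accounts are assumptions to tune against the organization's own baseline.

```powershell
# Added example (not from the CISA tip): remote-logon baseline and off-hours
# anomalies from the local Security log. Needs rights to read the Security log.
# Event 4624 only exists if Logon auditing is on:
#   auditpol /set /subcategory:"Logon" /success:enable
# Business hours, the 14-day window, and skipping machine accounts are assumptions.

$since = (Get-Date).AddDays(-14)
$dayStart = 7     # business day starts 07:00 local
$dayEnd   = 19    # and ends 19:00 local

$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The fields are in the event XML; the Message text is localized and fragile.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $type = [int]$d['LogonType']
    if ($type -notin 3, 10) { continue }                    # keep RDP and network logons
    $ip = $d['IpAddress']
    if ($ip -in '-', '127.0.0.1', '::1', $null) { continue } # skip local logons
    if ($d['TargetUserName'] -like '*$') { continue }        # skip machine accounts

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $type
        SourceIp  = $ip
        Weekend   = $e.TimeCreated.DayOfWeek -in 'Saturday', 'Sunday'
        OffHours  = ($e.TimeCreated.Hour -lt $dayStart) -or ($e.TimeCreated.Hour -ge $dayEnd)
    }
}

# Baseline: who normally logs on remotely, from where, and how often.
"== Remote logon baseline (last 14 days) =="
$rows | Group-Object User, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Anomalies: off-hours, weekend, or single-occurrence source addresses.
$rare = @($rows | Group-Object SourceIp | Where-Object Count -eq 1).Name
"== Logons to review =="
$rows | Where-Object { $_.OffHours -or $_.Weekend -or ($_.SourceIp -in $rare) } |
    Sort-Object Time |
    Format-Table Time, User, LogonType, SourceIp, OffHours, Weekend -AutoSize
```

Run centrally against the forwarded 4624 events rather than host by host, the same grouping gives the organization-wide remote access baseline the section asks for, and the "rare source" list is where VPN or RDP logons from unexpected geographies surface.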

Host Baseline

Organizations can establish a baseline by creating a “gold image” for workstations and servers. A gold image contains an organization’s standard set of necessary, trusted applications installed for the set of systems for which it is designed. Once created, the organization should document the gold image’s configuration. Organizations should also document approved variations from the gold image, such as tools used by the organization’s network or security teams. Examples of configuration information that may be useful in identifying anomalous activity include

An organization-wide approved software list, which can help determine whether detected software is approved for the organization; and

Information on configurations and settings that can be used to automatically launch software after a reboot, including services, scheduled tasks, and autorun programs.

In addition to reviewing the files on a system, organizations should review where each file is installed and, where possible, whether the file carries a valid digital signature.
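The following script is an added example, not part of the CISA tip. It snapshots exactly the autostart surface the list above names (services, scheduled tasks, Run keys), records the path, SHA-256 and Authenticode signature status of each launched binary, and compares the result with a baseline taken on the gold image, reporting entries that are new, changed, missing, or unsigned. The two-mode usage (-Save on the gold image, -Compare on deployed hosts) and the baseline file location are assumptions; the cmdlets are standard Windows PowerShell 5.1.

```powershell
# Added example (not from the CISA tip): autostart inventory with signature checks,
# diffed against a gold-image baseline. Elevated Windows PowerShell 5.1. Usage (assumed):
#   .\Get-HostBaseline.ps1 -Save    C:\Baseline\gold.json   # run on the gold image
#   .\Get-HostBaseline.ps1 -Compare C:\Baseline\gold.json   # run on any deployed host
param([string]$Save, [string]$Compare)

function Resolve-ExecutablePath([string]$CommandLine) {
    # Services and Run entries store a full command line; extract the program path.
    if (-not $CommandLine) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($c.StartsWith('"')) {
        $end  = $c.IndexOf('"', 1)
        $path = if ($end -gt 1) { $c.Substring(1, $end - 1) } else { $c.Substring(1) }
    } else {
        $path = $c.Split(' ')[0]
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) { return (Resolve-Path -LiteralPath $path).Path }
    $cmd = Get-Command $path -ErrorAction SilentlyContinue      # bare names resolve via PATH
    if ($cmd -and $cmd.Source) { return $cmd.Source } else { return $null }
}

function Get-AutostartInventory {
    $entries = @()
    foreach ($s in Get-CimInstance Win32_Service) {
        $entries += [pscustomobject]@{ Kind='Service'; Name=$s.Name; Command=$s.PathName }
    }
    # Third-party tasks only; Microsoft's own tasks are documented with the gold image.
    foreach ($t in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                $entries += [pscustomobject]@{ Kind='Task'; Name="$($t.TaskPath)$($t.TaskName)"
                                               Command=("$($a.Execute) $($a.Arguments)").Trim() }
            }
        }
    }
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $entries += [pscustomobject]@{ Kind='Run'; Name="$k\$($prop.Name)"; Command=[string]$prop.Value }
        }
    }
    foreach ($e in $entries) {
        $exe = Resolve-ExecutablePath $e.Command
        # Note: on older builds, files signed only via a catalog may report NotSigned;
        # treat that as "differs from gold image", not as proof of tampering.
        $sig = if ($exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        [pscustomobject]@{
            Key       = "$($e.Kind)|$($e.Name)"
            Kind      = $e.Kind
            Name      = $e.Name
            Path      = $exe
            Sha256    = if ($exe) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
            SigStatus = if ($sig) { [string]$sig.Status } else { 'NoFile' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$current = @(Get-AutostartInventory)
if ($Save) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Save -Encoding UTF8
    "Saved $($current.Count) autostart entries to $Save"
}
if ($Compare) {
    $gold = @{}
    foreach ($g in (Get-Content -Raw -Path $Compare | ConvertFrom-Json)) { $gold[$g.Key] = $g }
    foreach ($c in $current) {
        $reason = ''
        if (-not $gold.ContainsKey($c.Key))           { $reason = 'NEW: not on gold image' }
        elseif ($gold[$c.Key].Sha256 -ne $c.Sha256)   { $reason = 'CHANGED: binary differs from gold image' }
        if ($c.SigStatus -ne 'Valid')                 { $reason = "$reason UNSIGNED/INVALID: $($c.SigStatus)".Trim() }
        if ($reason) { [pscustomobject]@{ Reason=$reason; Kind=$c.Kind; Name=$c.Name; Path=$c.Path; Signer=$c.Signer } }
    }
    foreach ($k in ($gold.Keys | Where-Object { $_ -notin $current.Key })) {
        [pscustomobject]@{ Reason='MISSING: present on gold image'; Kind=$gold[$k].Kind; Name=$gold[$k].Name; Path=$gold[$k].Path; Signer=$null }
    }
}
```

The gold.json file produced on the image doubles as the documented gold-image configuration the text calls for; approved variations (for example the security team's own tools) can be appended to it so that they stop appearing as NEW on every comparison.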

Organization-Wide IT Guidance and Policies

Developing and maintaining guidance and policies targeted to specific situations and that assist in implementing best practices throughout the organization benefits an organization’s IT ecosystem. Guidance and policies that can significantly benefit an organization’s cyber hygiene include

Incident severity thresholds and associated role-based actions taken at those thresholds;

A policy establishing a user’s responsibility to notify IT personnel of an IT security event;

Guidance that helps determine when the organization should notify external parties, such as CISA, the Federal Bureau of Investigation, or the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) (see Election Infrastructure Subsector Communications Protocol, EI-ISAC Formalized Notification Process, both available from CISA upon request, and Cyber Incident Reporting Unified Message);

Patch management policies;

Password management policies; and

An approved software list.

Guidance and policies like these help formalize expectations for users and IT personnel. Organizations should formally document any exceptions to official guidance and policies.

CISA On-Site Engagement Preparation

CISA provides expert intrusion analysis and mitigation guidance to clients who lack in-house capability or require additional assistance with responding to a cyber incident. CISA supports federal departments and agencies, state and local governments, the private sector (industry and critical infrastructure asset owners and operators), academia, and international organizations.
Before CISA can approve an organization’s Request for Technical Assistance (RTA) to provide on-network assistance to SLTT government agencies as part of a hunt or incident response, CISA requires proof that the organization has implemented login consent banners that appear on the screens of all servers and workstations accessed by the organization’s staff and within the scope of the assistance. This login consent banner cannot conflict with other IT resource policies, procedures, or trainings. In many situations, CISA has successfully helped government organizations update their banners in a way that allows CISA assistance. CISA cannot approve deployment to an on-site SLTT engagement involving on-network assistance unless the RTA and login consent banners are approved. For more information regarding consent banners, see the Election Infrastructure Questionnaire.
CISA also strongly recommends that organizations maintain current internal documentation related to the Election Infrastructure Questionnaire. CISA developed the questionnaire to assist organizational documentation of election infrastructure cybersecurity posture and to identify key interdependencies.

Notice and Consent Banners for Computer Systems

This section identifies recommended elements in computing system notice and consent banners and provides an example banner. This section does not include legal advice, and the information it contains is not guaranteed to be accurate or complete. Anyone reviewing or developing a notice and consent banner should consider consulting an attorney and should note that laws can change rapidly, differ from jurisdiction to jurisdiction, and can be subject to various interpretations by various entities. Further, notice and consent banners can require tailoring based on the specific circumstances and legal jurisdiction at issue. The elements or the examples may be inadvisable depending on the entity or situation. Applicable laws may include the Fourth Amendment to the U.S. Constitution, any similar provisions in State Constitutions, and relevant federal- and state-level statutes.

Notice and Consent Banner Elements

The banner expressly covers monitoring of data and communications in transit rather than just accessing data at rest.

Example: “You consent to the unrestricted monitoring, interception, recording, and searching of all communications and data transiting, traveling to or from, or stored on this system.”

The banner provides that information in transit or stored on the system may be disclosed to any entity, including to government entities.

Example: “You consent, without restriction, to all communications and data transiting, traveling to or from, or stored on this system being disclosed to any entity, including to government entities.”

The banner states that monitoring will be for any purpose.

Example: “…at any time and for any purpose.”

The banner states that monitoring may be done by the entity or any person or entity authorized by the entity.

Example: “…monitoring or disclosure to any entity authorized by [ENTITY].”

The banner explains to users that they have “no reasonable expectation of privacy” regarding communications or data in transit or stored on the system.

Example: “You are acknowledging that you have no reasonable expectation of privacy regarding your use of this system.”

The banner clarifies that the given consent covers personal use of the system (such as personal emails or websites, or use on breaks or after hours) as well as official or work-related use.

Example: “…including work-related use and personal use without exception….”

The banner is definitive about the fact of monitoring, rather than being conditional or speculative.

Example: “…will be monitored…”

The banner expressly obtains consent from the user and does not merely provide notification.

Note: click-through banners can be best because they force the user to interact with the language.

Note: supporting processes should generally also preserve/provide evidence of the user’s agreement to the terms.

Example: “By using this system, you are acknowledging and consenting to…”

Example: “By clicking [ACCEPT] below…you consent to…”

Nothing in the remainder of the banner or associated policies, agreements, training, etc., is inconsistent with, or otherwise undercuts, the elements of the banner.

Example Banner

By clicking [ACCEPT] below you acknowledge and consent to the following:
All communications and data transiting, traveling to or from, or stored on this system will be monitored. You consent to the unrestricted monitoring, interception, recording, and searching of all communications and data transiting, traveling to or from, or stored on this system at any time and for any purpose by [the ENTITY] and by any person or entity, including government entities, authorized by [the ENTITY]. You also consent to the unrestricted disclosure of all communications and data transiting, traveling to or from, or stored on this system at any time and for any purpose to any person or entity, including government entities, authorized by [the ENTITY]. You are acknowledging that you have no reasonable expectation of privacy regarding your use of this system. These acknowledgments and consents cover all use of the system, including work-related use and personal use without exception.

Note: due to variances among enterprise networks and associated election infrastructure, organizations should not consider these best practices a prescriptive solution for all cybersecurity risks.

Ransomware is a type of malware threat actors use to infect computers and encrypt computer files until a ransom is paid. (See Protecting Against Malicious Code for more information on malware.) After the initial infection, ransomware will attempt to spread to connected systems, including shared storage drives and other accessible computers.
If the threat actor’s ransom demands are not met (i.e., if the victim does not pay the ransom), the files or encrypted data will usually remain encrypted and unavailable to the victim. Even after a ransom has been paid to unlock encrypted files, threat actors will sometimes demand additional payments, delete a victim’s data, refuse to decrypt the data, or decline to provide a working decryption key to restore the victim’s access. The Federal Government does not support paying ransomware demands. (See the FBI’s ransomware article.)

How does ransomware work?

Ransomware identifies the drives on an infected system and begins to encrypt the files within each drive. Ransomware generally adds an extension to the encrypted files, such as .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault, or .petya, to show that the files have been encrypted—the file extension used is unique to the ransomware type.
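As an added example that is not part of the CISA tip, the script below is a quick triage check built on the extension pattern just described. It walks a directory tree, counts files carrying one of the listed extensions per folder, and reports the folders where most files have been renamed; the bulk rename is the signal, whereas a single stray .xyz or .vault file is noise. The sample tree it creates under the temporary directory when no -Path is given is constructed so the script runs offline; in practice point -Path at a file share or user profile.

```powershell
# Added example (not from the CISA tip): find folders showing the bulk-rename
# pattern of ransomware encryption. Windows PowerShell 5.1.
# The extension list is the one given in the text; the 50% ratio is an assumption.
param([string]$Path)

$suspect = '.aaa', '.micro', '.encrypted', '.ttt', '.xyz', '.zzz', '.locky', '.crypt',
           '.cryptolocker', '.vault', '.petya'

function Find-EncryptedFolders([string]$Root, [string[]]$Extensions, [double]$MinRatio = 0.5) {
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Group-Object DirectoryName | ForEach-Object {
            $hits = @($_.Group | Where-Object { $_.Extension.ToLower() -in $Extensions })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Folder     = $_.Name
                    Total      = $_.Count
                    Encrypted  = $hits.Count
                    Ratio      = [math]::Round($hits.Count / $_.Count, 2)
                    Extensions = ($hits | ForEach-Object { $_.Extension.ToLower() } | Sort-Object -Unique) -join ','
                    # First and last write times bracket when the encryption ran.
                    Earliest   = ($hits | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
                    Latest     = ($hits | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
                }
            }
        } | Where-Object { $_.Ratio -ge $MinRatio } | Sort-Object Encrypted -Descending
}

if (-not $Path) {
    # Constructed sample: one "hit" folder, one clean folder containing a stray .xyz file.
    $Path = Join-Path $env:TEMP "ransom-demo-$(Get-Random)"
    New-Item -ItemType Directory -Path "$Path\Finance", "$Path\Clean" -Force | Out-Null
    1..8 | ForEach-Object { Set-Content -Path "$Path\Finance\report$_.xlsx.locky" -Value 'x' }
    Set-Content -Path "$Path\Finance\HOW_TO_DECRYPT.txt" -Value 'pay'   # the ransom note is not encrypted
    1..5 | ForEach-Object { Set-Content -Path "$Path\Clean\doc$_.docx" -Value 'x' }
    Set-Content -Path "$Path\Clean\notes.xyz" -Value 'x'                 # a legitimate file with a listed extension
}

# On the constructed sample this lists only Finance (8 of 9 files, ratio 0.89);
# Clean has 1 of 6 and is filtered out.
Find-EncryptedFolders -Root $Path -Extensions $suspect | Format-Table -AutoSize
```

The Earliest and Latest columns are the first thing an incident responder wants: they bound the encryption window, which in turn tells you which backup generation predates the infection and which logs to pull.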
Once the ransomware has completed file encryption, it creates and displays a file or files containing instructions on how the victim can pay the ransom. If the victim pays the ransom, the threat actor may provide a cryptographic key that the victim can use to unlock the files, making them accessible.

How is ransomware delivered?

Ransomware is commonly delivered through phishing emails or via “drive-by downloads.” Phishing emails often appear as though they have been sent from a legitimate organization or someone known to the victim and entice the user to click on a malicious link or open a malicious attachment. A “drive-by download” is a program that is automatically downloaded from the internet without the user’s consent and often without their knowledge. The malicious code may run after download without any user interaction. After the malicious code has run, the computer is infected with ransomware.

What can I do to protect my data and networks?

Back up your computer. Perform frequent backups of your system and other important files, and verify your backups regularly. If your computer becomes infected with ransomware, you can restore your system to its previous state using your backups.

Store your backups separately. Best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive. Once the backup is completed, make sure to disconnect the external hard drive, or separate device from the network or computer. (See the Software Engineering Institute’s page on Ransomware).

Train your organization. Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.

What can I do to prevent ransomware infections?

Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks. (See Understanding Patches and Software Updates.)

Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net). (See Using Caution with Email Attachments.)

Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.

Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.

Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.

What do I do if my computer is infected with ransomware?

Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.

Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists. (See Before You Connect a New Computer to the Internet for tips on how to make a computer more secure before you reconnect it to a network.)

Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.

As technology continues to evolve, cyber threats continue to grow in sophistication and complexity. Cyber threats affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other senior leaders. To help companies understand their risks and prepare for cyber threats, CEOs should discuss key cybersecurity risk management topics with their leadership and implement cybersecurity best practices. The best practices listed in this document have been compiled from lessons learned from incident response activities and managing cyber risk.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:

How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?

How can my business create long-term resiliency to minimize our cybersecurity risks?

What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?

What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

The following questions will help CEOs guide discussions about their cybersecurity risk with management:

What is the threshold for notifying executive leadership about cybersecurity threats?

What is the current level of cybersecurity risk for our company?

What is the possible business impact to our company from our current level of cybersecurity risk?

What is our plan to address identified risks?

What cybersecurity training is available for our workforce?

What measures do we employ to mitigate insider threats?

How does our cybersecurity program apply industry standards and best practices?

Are our cybersecurity program metrics measurable and meaningful?

How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery plan?

How often do we exercise our plans?

Do our plans incorporate the whole company or are they limited to information technology (IT)?

How prepared is my business to work with federal, state, and local government cyber incident responders and investigators, as well as contract responders and the vendor community?

Recommended Organizational Cybersecurity Best Practices

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.

Elevate cybersecurity risk management discussions to the company CEO and the leadership team.

CEO and senior company leadership engagement in defining an organization's risk strategy and levels of acceptable risk is critical to a comprehensive cybersecurity risk plan. The company CEO—with assistance from the chief information security officer, chief information officer, and the entire leadership team—should ensure that they know how their divisions affect the company’s overall cyber risk. In addition, regular discussion with the company board of directors regarding these risk decisions ensures visibility to all company decision makers.

Executives should construct policy from the top down to ensure everyone is empowered to perform the tasks related to their role in reducing cybersecurity risk. A top-down policy defines roles and limits the power struggles that can hurt IT security.

Implement industry standards and best practices rather than relying solely on compliance standards or certifications.

Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from organizations like the Center for Internet Security). Organizations should tailor best practices to ensure they are relevant for their specific use cases.

Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior. This allows organizations to be proactive in combatting cybersecurity threats, rather than expending resources to "put out fires."

Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements; however, there is more businesses can do to go beyond the requirements.

Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. For example, it is better to focus on the goals your organization will achieve by implementing overall security controls instead of inquiring about specific security controls, safeguards, and countermeasures.

Create a repeatable process to cross-train employees to conduct risk and incident management as an institutional practice. Often, there are only a few employees with subject matter expertise in key areas.

Ensure cybersecurity risk metrics are meaningful and measurable.

An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise. In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the organization.

An example of a less useful metric is the number of alerts a Security Operations Center (SOC) receives in a week. There are too many variables in the number of alerts a SOC receives for this number to be consistently relevant.

Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.

It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity incidents. Testing incident response plans and procedures can help prevent an incident from escalating.

Incident response plans should provide instructions on when to elevate an incident to the next level of leadership. Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize impacts.

Retain a quality workforce.

Cybersecurity tools are only as good as the people reviewing the tools’ results. It is also important to have people who can identify the proper tools for your organization. It can take a significant amount of time to learn a complex organization’s enterprise network, making retaining skilled personnel just as important as acquiring them. There is no perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing cybersecurity risks.

New cybersecurity threats are constantly appearing. The personnel entrusted with detecting cybersecurity threats need continual training. Training increases the likelihood of personnel detecting cybersecurity threats and responding to threats in a manner consistent with industry best practices.

Ensure there is appropriate planning to account for the additional workload related to mitigating cybersecurity risks.

Explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers, the Homeland Security Information Network, or other government and intelligence programs.

Website security refers to the protection of personal and organizational public-facing websites from cyberattacks.

Why should I care about website security?

Cyberattacks against public-facing websites—regardless of size—are common. An attack on your website could

Cause defacement,

Cause a denial-of-service (DoS) condition,

Enable the attacker to obtain sensitive information, or

Enable the attacker to take control of the affected website.

Organizational and personal websites that fall victim to defacement or DoS may experience financial loss due to eroded user trust or a decrease in website visitors.
A cyberattack that causes a data breach places your company’s intellectual property and your users’ personally identifiable information (PII) at risk of theft.
Cyber criminals may attack websites because of financial incentives such as the theft and sale of intellectual property and PII, ransomware payouts, and cryptocurrency mining (see Defending Against Illicit Cryptocurrency Mining Activity). Cyber criminals may also be motivated to attack websites for ideological reasons, e.g., to gain publicity and notoriety for a terrorist organization through defacing a government website.

What security threats are associated with websites?

Possible cyberattacks against your website include those commonly reported in the media, such as website defacement and DoS—which make the information services provided by the website unavailable for users (see Understanding Denial-of-Service Attacks). An even more severe website attack scenario may result in the compromise of customer data (e.g., PII). These threats affect all aspects of security—confidentiality, integrity, and availability—and can gravely damage the reputation of the website and its owner.
A more subtle attack—one that may not be immediately evident to the website’s owner or user—occurs when an attacker pivots from a compromised web server to the website owner’s corporate network, which contains an abundance of sensitive information that may be at risk of exposure, modification, or destruction. Once an attacker uses a compromised website to enter a corporate network, other assets may be available to the attacker, including user credentials, PII, administrative information, and technical vulnerabilities. Additionally, by compromising the website platform, an attacker may be able to repurpose the website infrastructure as a platform from which they can launch attacks against other systems.

How can I improve my cybersecurity protection against website attacks?

Organizations and individuals can protect their websites by applying the following best practices to their web servers:

Implement the principle of least privilege. Ensure that all users have the least amount of privilege necessary on the web server (including interactive end users and service accounts).

Change default vendor usernames and passwords. Default vendor credentials are not secure—they are usually readily available on the internet. Changing default usernames and passwords will prevent an attack that leverages default credentials.

Disable unnecessary accounts. Disable accounts that are no longer necessary, such as guest accounts or individual user accounts that are no longer in use.

Use security checklists. Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system.

Use application whitelisting. Use application whitelisting and disable modules or features that provide capabilities that are not necessary for business needs.

Use network segmentation and segregation. Network segmentation and segregation makes it more difficult for attackers to move laterally within connected networks. For example, placing the web server in a properly configured demilitarized zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems in the internal corporate network.

Know where your assets are. You must know where your assets are in order to protect them. For example, if you have data that does not need to be on the web server, remove it to protect it from public access.

Protect the assets on the web server. Protect assets on the web server with multiple layers of defense (e.g., limited user access, encryption at rest).

Practice healthy cyber hygiene.

Patch systems at all levels—from web applications and backend database applications, to operating systems and hypervisors.

Perform routine backups, and test disaster recovery scenarios.

Configure extended logging and send the logs to a centralized log server.

What are some additional steps I can take to protect against website attacks?

Sanitize all user input. Validate and sanitize user input, such as special characters and null characters, on the server side; client-side checks improve usability but are trivially bypassed by an attacker who sends requests directly, so they must never be the only control. Sanitizing user input is especially critical when it is incorporated into scripts or structured query language (SQL) statements. For SQL, use parameterized queries rather than building statements from strings; for HTML and JavaScript, apply context-appropriate output encoding.

Implement a Content Security Policy (CSP). Website owners should also consider implementing a CSP. Implementing a CSP lessens the chances of an attacker successfully loading and running malicious JavaScript on the end user machine.

Audit third-party code. Audit third-party services (e.g., ads, analytics) to validate that no unexpected code is being delivered to the end user. Website owners should weigh the pros and cons of vetting the third-party code and hosting it on the web server (as opposed to loading the code from the third party).

Implement hypertext transfer protocol secure (HTTPS) and HTTP strict transport security (HSTS). Website visitors expect their privacy to be protected. To ensure communications between the website and user are encrypted, always enforce the use of HTTPS, and enforce the use of HSTS where possible. For further information and guidance, see the U.S. Chief Information Officer (CIO) and the Federal CIO Council’s webpage on the HTTPS-Only Standard.

Implement additional security measures. Additional measures include

Running static and dynamic security scans against the website code and system,
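The two items above that most often go wrong in practice are input handling in SQL and the browser-side headers. The following is an added example, not code from the CISA tip, showing a deliberately injectable query beside its parameterized form, and a small checker for the Content-Security-Policy and HSTS headers the tip recommends. It uses only the Python standard library with an in-memory SQLite database; the table, user names, and the baseline CSP value are constructed assumptions for illustration.

```python
"""Added example (not from the CISA tip): SQL injection via string building vs.
a parameterized query, plus a checker for the response headers the tip
recommends (CSP and HSTS). Standard library only; the database, rows and the
baseline CSP value are constructed for illustration."""
import sqlite3


def make_db():
    """Constructed sample database: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately unsafe: user input is spliced into the SQL text, so a quote
    in the input changes the statement's structure."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the driver binds the value as data; it can never become SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Headers the tip calls for. The CSP value is an assumed, reasonably strict
# baseline; a real site would tune it to the resources it actually loads.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "base-uri 'self'; frame-ancestors 'none'",
}


def missing_headers(headers):
    """Return the recommended headers a response lacks. Header names are
    compared case-insensitively, as HTTP requires."""
    present = {k.lower() for k in headers}
    return sorted(h for h in RECOMMENDED_HEADERS if h.lower() not in present)


def csp_allows_inline_script(csp):
    """True if the policy's script-src (or its default-src fallback) permits
    inline script, which defeats much of CSP's protection against injected
    JavaScript. Nonce/hash overrides of 'unsafe-inline' are ignored here."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"              # classic injection payload
    print(lookup_vulnerable(db, payload))  # every row comes back
    print(lookup_safe(db, payload))        # nothing matches the literal string
    print(missing_headers({"Content-Type": "text/html"}))
```

The injection payload turns the vulnerable statement into `WHERE name = 'x' OR '1'='1'`, which matches every row; the parameterized version looks for a user literally named `x' OR '1'='1` and returns nothing. Run the header checker against a real response (for example, the headers returned by `urllib.request.urlopen`) to confirm that both headers are present and that the policy does not allow inline script.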

In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information which could be exploited by cyber criminals.
Types of electronic devices include:

Computers, Smartphones, and Tablets — electronic devices that can automatically store and process data; most contain a central processing unit and memory, and use an operating system that runs programs and applications.

There are a variety of methods for permanently erasing data from your devices (also called sanitizing). Because methods of sanitization vary according to device, it is important to use the method that applies to that particular device.
Methods for sanitization include:

Backing Up Data. Saving your data to another device or a second location (e.g., an external hard drive or the cloud) can help you recover your data if your device is stolen. Options for digital storage include cloud data services, CDs, DVDs, and removable flash drives or removable hard drives (see ST08-001 Using Caution with USB Drives and ST04-020 Protecting Portable Devices: Data Security for more information). Backing up your data can also help you identify exactly what information a thief may have been able to access.

Deleting Data. Removing data from your device can be one method of sanitization. When you delete files from a device—although the files may appear to have been removed—data remains on the media even after a delete or format command is executed. Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on the device and can be retrieved. Permanent data deletion requires several steps.

Computers. Use disk-cleaning software designed to permanently remove the data stored on a computer hard drive to prevent the possibility of recovery.

Secure erase. This is a set of commands in the firmware of most computer hard drives. If you select a program that runs the secure erase command set, it will erase the data by overwriting all areas of the hard drive.

Disk wiping. This is a utility that erases sensitive information on hard drives and securely wipes flash drives and secure digital cards.

Smartphones and Tablets. Ensure that all data is removed from your device by performing a “hard reset.” This will return the device to its original factory settings. Each device has a different hard reset procedure, but most smartphones and tablets can be reset through their settings. In addition, physically remove the memory card and the subscriber identity module card, if your device has one.

Office Equipment (e.g., copiers, printers, fax machines, multifunction devices). Remove any memory cards from the equipment. Perform a full manufacturer reset to restore the equipment to its factory default.

Overwriting. Another method of sanitization is to delete sensitive information and write new binary data over it. Using random data instead of easily identifiable patterns makes it harder for attackers to discover the original information underneath. Since data stored on a computer is written in binary code (strings of 0s and 1s), one common approach is to overwrite the disk with random data and finish with a pass of all zeros (zero-filling). Users should overwrite the entire hard disk and add multiple layers of new data (three to seven passes of new binary data) to prevent attackers from obtaining the original data. Overwriting is appropriate for magnetic hard drives; on solid-state drives, wear leveling means an overwrite utility cannot reach every location where data may reside, so use the drive’s built-in secure erase command or physical destruction (see Solid-State Destruction below) instead.

Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System (NTFS) drives. With its /w option, the tool also overwrites the free space on a volume so that previously deleted files cannot be recovered; note that it does not wipe files that still exist, which must be deleted first.

Clearing is a level of media sanitation that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.

Destroying. Physical destruction of a device is the ultimate way to prevent others from retrieving your information. Specialized services are available that will disintegrate, burn, melt, or pulverize your computer drive and other devices. These sanitization methods are designed to completely destroy the media and are typically carried out at an outsourced metal destruction or licensed incineration facility. If you choose not to use a service, you can destroy your hard drive by driving nails or drilling holes into the device yourself. The remaining physical pieces of the drive must be small enough (at least 1/125 inches) that your information cannot be reconstructed from them. There are also hardware devices available that erase CDs and DVDs by destroying their surface.

Solid-State Destruction. The destruction of all data storage chip memory by crushing, shredding, or disintegration is called solid-state destruction. Solid-State Drives should be destroyed with devices that are specifically engineered for this purpose.

CD and DVD Destruction. Many office and home paper shredders can shred CDs and DVDs (be sure to check that the shredder you are using can shred CDs and DVDs before attempting this method).
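The overwriting method above is easy to get subtly wrong (writes left in the page cache, a final pass that is not actually zeros, the wrong file size). The following is an added example, not code from the CISA tip, that overwrites a file in place with random passes followed by a zero pass, flushing and syncing each pass, and then verifies that the original content is gone. It runs against a temporary file it creates itself; the “secret” it writes is constructed and not a real identifier. The same caveat as in the text applies: this is meaningful for magnetic media, not for SSDs or copy-on-write filesystems.

```python
"""Added example (not from the CISA tip): multi-pass overwrite of a file's
contents, random data first and all zeros last, as the tip describes. Works on
a constructed temporary file so it runs anywhere without touching a real disk."""
import os
import tempfile


def overwrite_file(path, passes=3, chunk_size=1 << 16):
    """Overwrite every byte of `path` in place: `passes - 1` passes of random
    data, then a final pass of zeros. Each pass is flushed and fsync'd so the
    writes reach the storage device rather than sitting in the page cache.

    Caveat: in-place overwriting only helps on media that rewrite the same
    physical location. SSDs (wear levelling), copy-on-write filesystems and
    snapshots can keep old copies; use the drive's secure erase or physical
    destruction for those, as the tip advises."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            last = pass_no == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(b"\x00" * n if last else os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def contains(path, marker):
    """Scan a file for a byte string (used to confirm the old data is gone)."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def demo(passes=3):
    """Create a constructed file holding a recognisable secret, overwrite it,
    and report whether the secret survived and whether the last pass was zeros."""
    secret = b"SSN=123-45-6789 " * 1024      # constructed, not a real number
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(secret)
        before = contains(path, b"123-45-6789")
        overwrite_file(path, passes=passes)
        after = contains(path, b"123-45-6789")
        with open(path, "rb") as fh:
            data = fh.read()
        return {
            "found_before": before,
            "found_after": after,
            "size_preserved": len(data) == len(secret),
            "final_pass_zero": data == b"\x00" * len(secret),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Note that `overwrite_file` opens the file for update rather than truncating it: truncating and rewriting would let the filesystem allocate fresh blocks and leave the original blocks untouched, which is exactly the failure the method is meant to avoid.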

Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses.

Viruses have the ability to damage or destroy files on a computer system and are spread by sharing already infected removable media, opening malicious email attachments, and visiting malicious web pages.

Worms are a type of malware that self-propagates from computer to computer without user action, typically over the network. As they spread and replicate, they can consume your computer’s processing and network resources, which can cause your computer to stop responding.

Trojan Horses are computer programs that appear legitimate but hide a virus or other potentially damaging code. It is not uncommon for free software from untrusted sources to contain a Trojan horse: the user believes they are running legitimate software, while the program is performing malicious actions on the computer.

How can you protect yourself against malicious code?

Following these security practices can help you reduce the risks associated with malicious code:

Install and maintain antivirus software. Antivirus software recognizes malware and protects your computer against it. Installing antivirus software from a reputable vendor is an important step in preventing and detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email links. Because attackers are continually creating new viruses and other forms of malicious code, it is important to keep your antivirus software up-to-date.

Use caution with links and attachments. Take appropriate precautions when using email and web browsers to reduce the risk of an infection. Be wary of unsolicited email attachments and use caution when clicking on email links, even if they seem to come from people you know. (See Using Caution with Email Attachments for more information.)

Block pop-up advertisements. Pop-up blockers disable windows that could potentially contain malicious code. Most browsers have a free feature that can be enabled to block pop-up advertisements.

Use an account with limited permissions. When navigating the web, it is a good security practice to use an account with limited permissions. If you do become infected, restricted permissions keep the malicious code from spreading and escalating to an administrative account.

Change your passwords. If you believe your computer is infected, change your passwords. This includes any passwords for websites that may have been cached in your web browser. Create and use strong passwords, making them difficult for attackers to guess. (See Choosing and Protecting Passwords and Supplementing Passwords for more information.)

Keep software updated. Install software patches on your computer so attackers do not take advantage of known vulnerabilities. Consider enabling automatic updates, when available. (See Understanding Patches and Software Updates for more information.)

Back up data. Regularly back up your documents, photos, and important email messages to the cloud or to an external hard drive. In the event of an infection, your information will not be lost.

Install or enable a firewall. Firewalls can prevent some types of infection by blocking malicious traffic before it enters your computer. Some operating systems include a firewall; if the operating system you are using includes one, enable it. (See Understanding Firewalls for Home and Small Office Use for more information.)

Use anti-spyware tools. Spyware is a common source of infection, but you can minimize infections by using a program that identifies and removes spyware. Most antivirus software includes an anti-spyware option; ensure you enable it.

Avoid using public Wi-Fi. Unsecured public Wi-Fi may allow an attacker to intercept your device’s network traffic and gain access to your personal information.

What do you need to know about antivirus software?

Antivirus software scans computer files and memory for patterns that indicate the possible presence of malicious code. You can perform antivirus scans automatically or manually.

Automatic scans – Most antivirus software can scan specific files or directories automatically. New virus information is added frequently, so it is a good idea to take advantage of this option.

Manual scans – If your antivirus software does not automatically scan new files, you should manually scan files and media you receive from an outside source before opening them, including email attachments, web downloads, CDs, DVDs, and USBs.

Although antivirus software can be a powerful tool in helping protect your computer, it can sometimes induce problems by interfering with the performance of your computer. Running too many antivirus products at once can degrade your computer’s performance and the software’s effectiveness, because the products compete for the same files and resources.

Investigate your options in advance. Research available antivirus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes and how frequently the virus definitions are updated. Also, check for known compatibility issues with other software you may be running on your computer.

Limit the number of programs you install. Packages that incorporate both antivirus and anti-spyware capabilities together are now available. If you decide to choose separate programs, you only need one antivirus program and one anti-spyware program. Installing more programs increases your risk for problems.

There are many antivirus software program vendors, and deciding which one to choose can be confusing. Antivirus software programs all typically perform the same type of functions, so your decision may be based on recommendations, features, availability, or price. Regardless of which package you choose, installing any antivirus software will increase your level of protection.

How do you recover if you become a victim of malicious code?

Using antivirus software is the best way to defend your computer against malicious code. If you think your computer is infected, run your antivirus software program. Ideally, your antivirus program will identify any malicious code on your computer and quarantine them so they no longer affect your system. You should also consider these additional steps:

Minimize the damage. If you are at work and have access to an information technology (IT) department, contact them immediately. The sooner they can investigate and “clean” your computer, the less likely it is to cause additional damage to your computer—and other computers on the network. If you are on a home computer or laptop, disconnect your computer from the internet; this will prevent the attacker from accessing your system.

Remove the malicious code. If you have antivirus software installed on your computer, update the software and perform a manual scan of your entire system. If you do not have antivirus software, you can purchase it online or in a computer store. If the software cannot locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities.

Threats to your computer will continue to evolve. Although you cannot eliminate every hazard, by using caution, installing and using antivirus software, and following other simple security practices, you can significantly reduce your risk and strengthen your protection against malicious code.

Author: NCCIC

Enterprise network security is the protection of a network that connects systems, mainframes, and devices, like smartphones and tablets, within an enterprise. Companies, universities, governments, and other entities use enterprise networks to help connect their users to information and people. As networks grow in size and complexity, security concerns also increase.

What security threats do enterprise wireless networks face?

Unlike wired networks, which have robust security tools—such as firewalls, intrusion prevention systems, content filters, and antivirus and anti-malware detection programs—wireless networks (also called Wi-Fi) provide wireless access points that can be susceptible to infiltration. Because they may lack the same protections as wired networks, wireless networks and devices can fall victim to a variety of attacks designed to gain access to an enterprise network. An attacker could gain access to an organization’s network through a wireless access point to conduct malicious activities—including packet sniffing, creating rogue access points, password theft, and man-in-the-middle attacks. These attacks could hinder network connectivity, slow processes, or even crash the organization’s system. (See Securing Wireless Networks for more information on threats to wireless networks.)

How can you minimize the risks to enterprise Wi-Fi networks?

Network security protocols have advanced to offset the constant evolution of attacks. Wi-Fi Protected Access 2 (WPA2) incorporates Advanced Encryption Standard (AES) and is the standard employed today to secure wireless enterprises. In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces WPA2. Users should employ the new standards as WPA3 devices become available. IT security professionals and network administrators should also consider these additional best practices to help safeguard their enterprise Wi-Fi networks:

Deploy a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS) on every network.

Ensure existing equipment is free from known vulnerabilities by applying vendor software updates and service packs as they are released.

Establish multifactor authentication for access to your network. If this is not possible, consider other secure authentication means beyond a single shared password, such as 802.1X (enterprise-mode) authentication against a directory service like Active Directory, or an alternative method (e.g., tokens or client certificates), to build multifactor authentication into access to your network.

Use Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), the AES-based encryption mode of WPA2, on enterprise networks rather than the legacy Temporal Key Integrity Protocol (TKIP) mode. If possible, adopt stronger encryption technologies that conform to FIPS 140-2 as they are developed and approved.

Implement a guest Wi-Fi network that is separate from the main network. Employ routers with multiple Service Set Identifiers (SSIDs) or other wireless isolation features to ensure that organizational information is not accessible to guest network traffic.

What else can you do to secure your network?

Employing active WIDS/WIPS enables network administrators to create and enforce wireless security by monitoring, detecting, and mitigating potential risks. A WIDS monitors the airspace and detects the presence of unauthorized devices and rogue access points; a WIPS adds countermeasures to identified threats, such as automatically disconnecting (deauthenticating) unauthorized devices. Some common threats mitigated by WIPS are rogue access points, misconfigured access points, client misassociation, unauthorized association, man-in-the-middle attacks, ad-hoc networks, Media Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks.
The following list includes best practices to secure WIDS/WIPS sensor networks. Administrators should tailor these practices based on local considerations and applicable compliance requirements. For more in-depth guidance, see A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).

Use a rogue detection process capability. This capability should detect Wi-Fi access via a rogue client or WAP, regardless of the authentication or encryption techniques used by the offending device (e.g., network address translation, encrypted, soft WAPs).

Set the WIDS/WIPS sensors to

detect 802.11a/b/g/n/ac devices connected to the wired or wireless network and

detect and block multiple WAPs from a single sensor device over multiple wireless channels.

Enforce a “no Wi-Fi” policy per subnet and across multiple subnets.

Provide minimal secure communications between sensor and server, and identify a specific minimum allowable bandwidth in Kbps.

Provide automatic classification of clients and WAPs based upon enterprise policy and governance.

Provide automated (event-triggered) and scheduled reporting that is customizable.

Segment reporting and administration based on enterprise requirements.

Produce event logs and live packet captures over the air and display these directly on analyst workstations.

Import site drawings for site planning and location tracking requirements.

Manually create simple building layouts with auto-scale capability within the application.

Place sensors and WAPs electronically on building maps to maintain accurate records of sensor placement and future locations.

Have at least four different levels of permissions allowing WIPS administrators to delegate specific view and administrator privileges to other administrators.
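The classification step in the list above (clients and access points judged against enterprise policy) is where the rogue, misconfigured and evil-twin categories come from. The following is an added example, not code from the CISA tip or from any WIDS product, that runs that classification over a constructed scan: it compares each observed radio against an inventory of authorized BSSIDs, the SSIDs each is allowed to advertise and the minimum acceptable security mode. The inventory, SSIDs, BSSIDs and the `on_wired_lan` flag (whether the sensor also saw the device on the wired side) are all assumed for illustration.

```python
"""Added example (not from the CISA tip): the "automatic classification of
clients and WAPs based upon enterprise policy" step of a WIDS, run over a
constructed scan. Inventory, SSIDs and BSSIDs below are made up."""

# Enterprise policy (assumed): authorized access points keyed by BSSID (radio
# MAC), the SSIDs each may broadcast, and the minimum acceptable security mode.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssids": {"CorpWiFi", "CorpGuest"}, "security": "WPA2-Enterprise"},
    "00:11:22:33:44:02": {"ssids": {"CorpWiFi"}, "security": "WPA2-Enterprise"},
}
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}
SECURITY_RANK = {"Open": 0, "WEP": 1, "WPA": 2, "WPA2-Personal": 3,
                 "WPA2-Enterprise": 4, "WPA3-Enterprise": 5}


def classify_ap(ap):
    """Return one label for an observed access point record."""
    policy = AUTHORIZED_APS.get(ap["bssid"])
    if policy is None:
        # Unknown radio advertising one of our SSIDs: evil twin / honeypot.
        if ap["ssid"] in CORPORATE_SSIDS:
            return "rogue-evil-twin"
        # Unknown radio that is also plugged into our LAN is a rogue AP; a
        # neighbour's network that is not bridged to us is merely external.
        return "rogue-on-wire" if ap.get("on_wired_lan") else "external"
    if ap["ssid"] not in policy["ssids"]:
        return "misconfigured-ssid"
    if SECURITY_RANK.get(ap["security"], 0) < SECURITY_RANK[policy["security"]]:
        return "misconfigured-weak-security"
    return "authorized"


def classify_scan(scan):
    """Classify every AP in a scan and group the BSSIDs by label."""
    result = {}
    for ap in scan:
        result.setdefault(classify_ap(ap), []).append(ap["bssid"])
    return result


# Constructed scan results, as a WIDS sensor might report them.
SAMPLE_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "security": "WPA2-Enterprise", "channel": 36},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpWiFi", "security": "Open", "channel": 1},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpGuest", "security": "WPA2-Enterprise", "channel": 1},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "security": "Open", "channel": 6},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "Linksys", "security": "WPA2-Personal", "channel": 11,
     "on_wired_lan": True},
    {"bssid": "de:ad:be:ef:00:03", "ssid": "CoffeeShop", "security": "WPA2-Personal", "channel": 11},
]

if __name__ == "__main__":
    for label, bssids in sorted(classify_scan(SAMPLE_SCAN).items()):
        print(f"{label:28s} {', '.join(bssids)}")
```

The ordering of the checks matters: an unknown radio broadcasting a corporate SSID is treated as an evil twin before anything else, because that is the case where users are most likely to hand over credentials, and an authorized radio is still flagged when it advertises an SSID it should not or drops below the required security mode (here, an authorized AP seen open is labelled as weak security rather than trusted).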

The popularity of cryptocurrency, a form of digital currency, is rising; Bitcoin, Litecoin, Monero, Ethereum, and Ripple are just a few types of the cryptocurrencies available. Though cryptocurrency is a common topic of conversation, many people lack a basic understanding of cryptocurrency and the risks associated with it. This lack of awareness is contributing to the rise of individuals and organizations falling victim to illicit cryptocurrency mining activity.

What is cryptocurrency?

Cryptocurrency is a digital currency used as a medium of exchange, similar to other currencies. However, unlike other currencies, cryptocurrency operates independently of a central bank and uses cryptographic techniques (digital signatures and hash functions, rather than encryption) and blockchain technology to secure and verify transactions.

What is cryptomining?

Cryptocurrency mining, or cryptomining, is the way in which new units of cryptocurrency are earned. In proof-of-work cryptocurrencies, miners run cryptomining software that competes to solve a computationally intensive hash puzzle; the first to solve it adds the next block of validated transactions to the blockchain and earns a reward paid out in that cryptocurrency. Solving these puzzles requires a massive amount of processing power, which is what makes other people’s computers valuable to an attacker.

What is cryptojacking?

Cryptojacking occurs when malicious cyber actors exploit vulnerabilities—in webpages, software, and operating systems—to illicitly install cryptomining software on victim devices and systems. With the cryptomining software installed, the malicious cyber actors effectively hijack the processing power of the victim devices and systems to earn cryptocurrency. In practice the currency mined is usually Monero, whose mining algorithm runs efficiently on ordinary CPUs and whose transactions are difficult to trace. Additionally, malicious cyber actors may infect a website with cryptomining JavaScript code, which uses a visitor's processing power via their browser to mine cryptocurrency for as long as the page stays open. Cryptojacking may result in the following consequences to victim devices, systems, and networks:

Degraded system and network performance because bandwidth and central processing unit (CPU) resources are monopolized by cryptomining activity;

Increased power consumption, system crashes, and potential physical damage from component failure due to the extreme temperatures caused by cryptomining;

Disruption of regular operations; and

Financial loss due to system downtime caused by component failure and the cost of restoring systems and files to full operation as well as the cost of the increased power consumption.

Cryptojacking involves maliciously installed programs that are persistent or non-persistent. Non-persistent cryptojacking usually occurs only while a user is visiting a particular webpage or has an internet browser open. Persistent cryptojacking continues to occur even after a user has stopped visiting the source that originally caused their system to perform mining activity.
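Persistent miners have to talk to a mining pool to receive work and submit results, and that traffic is one of the most reliable ways to find them. The following is an added example (not code from CISA or from this tip) that scores egress log events for mining indicators: connections to ports commonly used by stratum pools, stratum JSON-RPC methods such as mining.subscribe or the XMRig-style login, and miner user-agent strings. The log format, the sample lines, the port list, and the agent patterns are all constructed assumptions to be tuned per environment; note that the third sample host reaches its pool over port 443, so port-based detection alone would miss it and payload or DNS visibility is needed.

```python
"""Flag cryptojacking indicators in egress logs (added example; all data constructed)."""
import json
import re
from collections import defaultdict

# Ports that public stratum pools commonly listen on. Assumption: a starting
# list to tune per environment, not an exhaustive or authoritative set.
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14444, 45700}
# JSON-RPC methods used by the stratum protocol (and the XMRig-style "login" variant).
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
# User-agent fragments of widely abused miners. Assumption: extend from your own threat intel.
MINER_AGENTS = re.compile(r"xmrig|cpuminer|ccminer|minerd|nicehash", re.IGNORECASE)

# Constructed log format: "<ts> <src> <dst>:<port> <bytes> <payload snippet>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<bytes>\d+) (?P<payload>.*)$"
)

SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.1.4.22 203.0.113.10:443 1320 GET /index.html
2024-03-01T10:00:05Z 10.1.4.22 198.51.100.7:3333 212 {"id":1,"method":"mining.subscribe","params":["xmrig/6.2"]}
2024-03-01T10:00:09Z 10.1.4.31 198.51.100.7:443 540 {"id":1,"method":"login","params":{"login":"48edfConstructedWallet","agent":"XMRig/6.2"}}
2024-03-01T10:00:12Z 10.1.4.40 203.0.113.55:80 800 GET /news
2024-03-01T10:00:20Z 10.1.4.22 pool.example-mining.net:14444 190 {"id":2,"method":"mining.authorize"}
"""


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def indicators(ev):
    """Return the list of reasons a single event looks like mining traffic (empty if none)."""
    reasons = []
    if ev["port"] in STRATUM_PORTS:
        reasons.append(f"stratum-port:{ev['port']}")
    payload = ev["payload"]
    if payload.startswith("{"):
        try:
            msg = json.loads(payload)
        except json.JSONDecodeError:
            msg = {}
        if msg.get("method") in STRATUM_METHODS:
            reasons.append(f"stratum-method:{msg['method']}")
    if MINER_AGENTS.search(payload):
        reasons.append("miner-user-agent")
    return reasons


def detect(log_text):
    """Group (destination, reason) hits per source host; any host listed deserves triage."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in indicators(ev):
            hits[ev["src"]].append((ev["dst"], reason))
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_LOG).items():
        print(host, reasons)
```

Pair this with the host-side symptom the tip describes: a process pinned at high CPU for hours, especially under a name that mimics a system binary, and a device that is hotter and louder than its workload justifies.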
Malicious actors distribute cryptojacking malware through weaponized mobile applications, botnets, and social media platforms, by exploiting flaws in applications and servers, and by hijacking Wi-Fi hotspots.

What types of systems and devices are at risk for cryptojacking?

Any internet-connected device with a CPU is susceptible to cryptojacking. The following are commonly targeted devices:

Computer systems and network devices – including those connected to information technology and Industrial Control System networks;

Mobile devices – devices are subject to the same vulnerabilities as computers; and

The following cybersecurity best practices can help you protect your internet-connected systems and devices against cryptojacking:

Use and maintain antivirus software. Antivirus software recognizes and protects a computer against malware, allowing the owner or operator to detect and remove a potentially unwanted program before it can do any damage. Many products classify miners as potentially unwanted applications (PUA) rather than as malware, so make sure PUA detection is enabled. (See Understanding Anti-Virus Software.)

Keep software and operating systems up-to-date. Install software updates so that attackers cannot take advantage of known problems or vulnerabilities. (See Understanding Patches.)

Use strong passwords. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases or passwords that consist of at least 16 characters. (See Choosing and Protecting Passwords.)

Change default usernames and passwords. Default usernames and passwords are readily available to malicious actors. Change default passwords, as soon as possible, to a sufficiently strong and unique password.

Check system privilege policies. Review user accounts and verify that users with administrative rights have a need for those privileges. Restrict general user accounts from performing administrative functions.

Be wary of downloading files from websites. Avoid downloading files from untrusted websites. Look for an authentic website certificate when downloading files from a secure site; a valid certificate confirms which site you are talking to, not that the file is safe, so also verify the publisher's digital signature or published hash where one is provided. (See Understanding Web Site Certificates.)

Disable unnecessary services. Review all running services and disable those that are unnecessary for operations. Disabling or blocking some services may create problems by obstructing access to files, data, or devices.

Uninstall unused software. Review installed software applications and remove those not needed for operations. Many retail computer systems with pre-loaded operating systems come with toolbars, games, and adware installed, all of which can use excessive disk space and memory. These unnecessary applications can provide avenues for attackers to exploit a system.

Install a firewall. Firewalls may be able to prevent some types of attack vectors by blocking malicious traffic before it can enter a computer system, and by restricting unnecessary outbound communications. Some device operating systems include a firewall. Enable and properly configure the firewall as specified in the device or system owner’s manual. (See Understanding Firewalls.)

Create and monitor blacklists. Monitor industry reports of websites that are hosting, distributing, and being used for malware command and control. Block the internet protocol addresses and domain names of known malicious sites, including known mining pools, to prevent devices from being able to access them.

Network infrastructure devices are ideal targets for malicious cyber actors. Most or all organizational and customer traffic must traverse these critical devices.

An attacker with presence on an organization’s gateway router can monitor, modify, and deny traffic to and from the organization.

An attacker with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.

Organizations and individuals that use legacy, unencrypted protocols (such as Telnet, HTTP, SNMPv1/v2c, and TFTP) to manage hosts and services make successful credential harvesting easy for these malicious cyber actors. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.

What are network infrastructure devices?

Network infrastructure devices are the physical components of a network that transport communications needed for data, applications, services, and multi-media. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name system (DNS) servers, and storage area networks.

What security threats are associated with network infrastructure devices?

Network infrastructure devices are often easy targets for attackers. Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:

Few network devices—especially small office/home office and residential-class routers—run antivirus, integrity-maintenance, and other security tools that help protect general-purpose hosts.

Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.

Owners and operators of network devices often don’t change vendor default settings, harden them for operations, or perform regular patching.

Internet service providers may not replace equipment on a customer’s property once the equipment is no longer supported by the manufacturer or vendor.

Owners and operators often overlook network devices when they investigate, look for intruders, and restore general-purpose hosts after cyber intrusions.

How can you improve the security of network infrastructure devices?

NCCIC encourages users and network administrators to implement the following recommendations to better secure their network infrastructure:

Segment and segregate networks and functions.

Limit unnecessary lateral communications.

Harden network devices.

Secure access to infrastructure devices.

Perform Out-of-Band network management.

Validate integrity of hardware and software.

Segment and Segregate Networks and Functions

Security architects must consider the overall infrastructure layout, including segmentation and segregation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Traditional network devices, such as routers, can separate local area network (LAN) segments. Organizations can place routers between networks to create boundaries, increase the number of broadcast domains, and effectively filter users' broadcast traffic. Organizations can use these boundaries to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.

Recommendations

Apply security recommendations and secure configurations to all network segments and network layers.

Virtual Separation of Sensitive Information

As technologies change, new strategies are developed to improve information technology efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. Virtual segmentation uses the same design principles as physical segmentation but requires no additional hardware. Existing technologies can be used to prevent an intruder from breaching other internal network segments.

Recommendations

Use private virtual LANs (PVLANs) to isolate a host from the rest of its broadcast domain.

Use virtual routing and forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.

Use virtual private networks (VPNs) to securely extend a host/network by tunneling through public or private networks.

Limit Unnecessary Lateral Communications

Allowing unfiltered peer-to-peer communications, including workstation-to-workstation, creates serious vulnerabilities and can allow a network intruder's access to spread easily to multiple systems. Once an intruder establishes an effective beachhead within the network, unfiltered lateral communications allow the intruder to create backdoors throughout the network. Backdoors help the intruder maintain persistence within the network and hinder defenders' efforts to contain and eradicate the intruder.

Recommendations

Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or internet protocol (IP) address to limit access from services and systems.

Implement a VLAN Access Control List (VACL), a filter that controls access to and from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
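A zone-based allow-list is the simplest way to express "workstations do not talk to workstations" so that it can be both enforced and audited. The following added example (not code from CISA or from this tip) encodes an assumed addressing plan of three VLANs, a short allow-list of (source zone, destination zone, port) tuples, evaluates constructed flow records against it with everything else denied, and renders the workstation-zone part of the policy as an nftables host-firewall chain. The zones, ports, and flows are all assumptions for illustration; the policy covers internal lateral traffic only, so internet egress would be handled by a separate rule set.

```python
"""Evaluate flow records against a lateral-movement allow-list (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing plan: one VLAN per role.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Allow-list of (src_zone, dst_zone, dst_port). Anything not listed is denied,
# so workstation-to-workstation and server-initiated-to-workstation traffic are
# denied by default, and SSH to servers is reachable only from the management zone.
ALLOWED = {
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),
    ("mgmt", "servers", 22),
    ("mgmt", "workstations", 3389),
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(flow):
    """Return (verdict, src_zone, dst_zone); unknown zones fail closed."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == "unknown" or d == "unknown":
        return "deny", s, d
    if (s, d, flow.dport) in ALLOWED:
        return "allow", s, d
    return "deny", s, d


def violations(flows):
    """Flows that the policy denies; in an audit these are the ones to investigate."""
    out = []
    for f in flows:
        verdict, s, d = evaluate(f)
        if verdict == "deny":
            out.append((f, s, d))
    return out


def nft_ruleset(local_zone="workstations"):
    """Render a host-level nftables input chain for hosts in local_zone from ALLOWED."""
    lines = [
        "table inet lateral {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for s, d, port in sorted(ALLOWED):
        if d == local_zone:
            lines.append(f"    ip saddr {ZONES[s]} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records, e.g. from NetFlow or firewall logs.
FLOWS = [
    Flow("10.10.5.20", "10.10.5.21", 445),  # workstation -> workstation SMB: deny
    Flow("10.10.5.20", "10.20.1.10", 443),  # workstation -> server HTTPS: allow
    Flow("10.99.0.5", "10.20.1.10", 22),    # mgmt -> server SSH: allow
    Flow("10.20.1.10", "10.10.5.20", 445),  # server -> workstation SMB: deny
    Flow("10.10.5.20", "10.20.1.10", 22),   # workstation -> server SSH: deny (mgmt only)
    Flow("10.10.5.20", "192.0.2.9", 443),   # address outside the plan: deny
]

if __name__ == "__main__":
    for f, s, d in violations(FLOWS):
        print(f"DENY {f.src}({s}) -> {f.dst}({d}):{f.dport}")
    print(nft_ruleset())
```

The same allow-list drives both the audit and the enforcement artifact, so the two cannot drift apart; the equivalent switch-side VACL would deny the workstation VLAN to itself and permit only the listed management sources.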

Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of guidance to administrators—including benchmarks and best practices—on how to harden network devices. Administrators should implement the following recommendations in conjunction with laws, regulations, site security policies, standards, and industry best practices.

Recommendations

Protect configuration files with encryption or access controls when sending, storing, and backing up files.

Secure Access to Infrastructure Devices

Administrative privileges can be granted to allow users access to resources that are not widely available. Limiting administrative privileges for infrastructure devices is crucial to security because intruders can exploit administrative privileges that are improperly authorized, granted widely, or not closely audited. Adversaries can use these compromised privileges to traverse a network, expand access, and take full control of the infrastructure backbone. Organizations can mitigate unauthorized infrastructure access by implementing secure access policies and procedures.

Recommendations

Manage privileged access. Use a server that provides authentication, authorization, and accounting (AAA) services, typically TACACS+ or RADIUS, to store access information for network device management rather than local accounts on each device. An AAA server lets network administrators assign privilege levels to users on the principle of least privilege and authorize individual commands, so that an unauthorized command is rejected and logged. If possible, add a hardware-token (multi-factor authentication, MFA) server in front of the AAA server. MFA makes it more difficult for intruders to steal and reuse credentials to gain access to network devices.

Manage administrative credentials. Take these actions if your system cannot meet the MFA best practice:

Change default passwords.

Require passwords to be at least 8 characters long, and allow passwords as long as 64 characters (or greater), in accordance with the National Institute of Standards and Technology's SP 800-63B Digital Identity Guidelines and Canada's User Authentication Guidance for Information Technology Systems ITSP.30.031 V3.

Check passwords against blacklists of unacceptable values, such as commonly used, expected, or compromised passwords.

Ensure all stored passwords are salted and hashed with a purpose-built password hashing function (for example, PBKDF2, bcrypt, scrypt, or Argon2), never with a plain fast hash such as MD5 or SHA-1.

Keep passwords stored for emergency access in a protected off-network location, such as a safe.
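The three credential rules above (length limits, blocklist screening, salted hashing) fit in a few functions. The following added example (not code from CISA, NIST, or this tip) implements them in the style of SP 800-63B for a self-hosted credential store: input is NFKC-normalized before any check, candidates are rejected only for length or blocklist membership (no composition rules), and storage uses PBKDF2-HMAC-SHA256 with a random 16-byte salt and a constant-time comparison on verification. The blocklist is a constructed stand-in for a breached-password corpus, and the 600,000 iteration count is an assumption taken from OWASP's password storage guidance; bcrypt, scrypt, or Argon2id are equally acceptable choices.

```python
"""SP 800-63B-style password checks and salted hashing (added example; blocklist constructed)."""
import hashlib
import hmac
import os
import unicodedata

MIN_LEN, MAX_LEN = 8, 64
# Constructed blocklist. In practice load a breached-password corpus plus
# environment-specific words (vendor names, site names, hostnames).
BLOCKLIST = {"password", "password1", "admin", "cisco123", "12345678", "qwerty123"}
# Assumption: PBKDF2-HMAC-SHA256 at 600,000 iterations, per OWASP's password storage guidance.
ITERATIONS = 600_000


def normalize(pw):
    """NFKC so that visually identical Unicode input hashes identically (SP 800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", pw)


def check_policy(candidate):
    """Return reasons the candidate is unacceptable; an empty list means it passes."""
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if pw.lower() in BLOCKLIST:
        problems.append("on blocklist")
    return problems


def hash_password(pw, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt-hex>$<hash-hex>' using a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", normalize(pw).encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for cand in ("cisco123", "short", "correct horse battery staple"):
        print(cand, "->", check_policy(cand) or "ok")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Storing the iteration count inside the record lets you raise it later and rehash users transparently at their next successful login.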

Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated communication paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can perform corrective actions without allowing the adversary (even one who has already compromised a portion of the network) to observe these changes.
OoB management can be implemented physically, virtually, or as a hybrid of the two. Although additional physical network infrastructure can be very expensive to implement and maintain, it is the most secure option for network managers to adopt. Virtual implementation is less costly but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.

Recommendations

Segregate standard network traffic from management traffic.

Ensure that management traffic on devices comes only from OoB.

Apply encryption to all management channels.

Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.

Manage all administrative functions from a dedicated, fully patched host over a secure channel, preferably on OoB.

Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often counterfeit, secondary, or grey market devices. Numerous media reports have described the introduction of grey market hardware and software into the marketplace. Illegitimate hardware and software present a serious risk to users' information and the overall integrity of the network environment. Grey market products can introduce risks to the network because they have not been thoroughly tested to meet quality standards. Purchasing products from the secondary market carries the risk of acquiring counterfeit, stolen, or second-hand devices because of supply chain breaches. Furthermore, breaches in the supply chain provide an opportunity for malicious software and hardware to be installed on the equipment. Compromised hardware and software can affect network performance and compromise the confidentiality, integrity, or availability of network assets. Finally, unauthorized or malicious software can be loaded onto a device after it is in operational use, so organizations should regularly check the integrity of software by comparing the running image and configuration against the vendor's published hashes and against a baseline recorded when the device was put into service.

Recommendations

Maintain strict control of the supply chain and purchase only from authorized resellers.

Require resellers to enforce integrity checks of the supply chain to validate hardware and software authenticity.
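The integrity check the section closes with has two parts: validate an image against the vendor's published manifest before it is installed, and compare what is running against a baseline afterwards. The following added example (not code from CISA or this tip) does both: it parses a sha256sum-style manifest, fails closed for files the manifest does not list, compares digests in constant time, and reports drift between a deployment-time baseline and the current state. The image bytes, configuration, and manifest are constructed stand-ins; a real manifest comes from the vendor over an authenticated channel or carries a vendor signature, and here it is derived in-code only so the example runs offline.

```python
"""Verify device software against a vendor manifest and a deployment baseline
(added example; image, config and manifest are constructed)."""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a vendor image, a tampered copy, and a device config.
GOOD_IMAGE = b"constructed-router-os-1.2.3-image-bytes" * 32
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"\x00"
STARTUP_CONFIG = b"hostname edge-rtr-1\nenable secret 9 constructed\n"
# Constructed manifest in sha256sum format; derived here only so the example is self-contained.
VENDOR_MANIFEST = (
    f"{sha256_hex(GOOD_IMAGE)}  router-os-1.2.3.bin\n"
    "# comment lines and blank lines are ignored\n\n"
)


def parse_manifest(text):
    """Parse '<64-hex>  <name>' lines into {name: hex}; reject malformed lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_against_manifest(name, blob, manifest_text):
    """True only if the file is listed and its digest matches; unlisted files fail closed."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False
    # compare_digest avoids leaking the matching prefix length through timing.
    return hmac.compare_digest(sha256_hex(blob), expected[name])


def record_baseline(files):
    """Snapshot {name: bytes} -> {name: sha256 hex} when a device is first put into service."""
    return {name: sha256_hex(blob) for name, blob in files.items()}


def check_drift(baseline, current):
    """Names whose content changed, appeared, or disappeared since the baseline."""
    changed = [
        n for n in baseline
        if n in current and not hmac.compare_digest(sha256_hex(current[n]), baseline[n])
    ]
    added = [n for n in current if n not in baseline]
    missing = [n for n in baseline if n not in current]
    return {"changed": changed, "added": added, "missing": missing}


if __name__ == "__main__":
    print(verify_against_manifest("router-os-1.2.3.bin", GOOD_IMAGE, VENDOR_MANIFEST))
    print(verify_against_manifest("router-os-1.2.3.bin", TAMPERED_IMAGE, VENDOR_MANIFEST))
    base = record_baseline({"image": GOOD_IMAGE, "startup-config": STARTUP_CONFIG})
    print(check_drift(base, {"image": TAMPERED_IMAGE, "startup-config": STARTUP_CONFIG}))
```

Keep the baseline off the device (on the OoB management host, for instance); a baseline stored on the device it describes can be rewritten by the same intruder who replaced the image.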